BIAS Attack Affects Almost All Bluetooth-Enabled Devices

Security researchers have developed an attack, called Bluetooth Impersonation AttackS (BIAS), that would let bad actors compromise the security of a Bluetooth connection for any standard-compliant device.

Bluetooth is present in much of today’s technology, including IoT devices, laptops, computers, phones, and most everything else. Any vulnerability in the communication protocol will affect countless devices.

Three security researchers, Daniele Antonioli, Kasper Rasmussen, Nils Ole Tippenhauer, published their research on the BIAS vulnerability and notified the Bluetooth Special Interest Group (Bluetooth SIG). This organization manages the implementation and development of the protocol.

“We found and exploited a severe vulnerability in the Bluetooth BR/EDR specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device,” said the researchers.  “As a result, an attacker can impersonate a device towards the host after both have previously been successfully paired in absence of the attacker.”

When two Bluetooth-enabled devices first communicate, they have to pair. They do so by exchanging long-term keys. When they communicate subsequently, they have to prove possession of the long term key.

In the published paper, the researcher showed a vulnerability in the Bluetooth standard contains allows targeting of the authentication phase of secure connection establishment, including the legacy authentication procedure used for Legacy Secure Connections (LSC) and the secure authentication procedure used for Secure Connections (SC). Basically, the attackers can spoof any side, without possessing the long term key.

The attack was successful against all major hardware and software vendors, with a total of 28 unique Bluetooth chips, including from Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

Since the researchers followed responsible disclosure procedures, many of the still-supported devices have received fixes, but any device that hasn’t been updated since November 2019 remains at risk. Unfortunately, that includes a large number of devices that are still operating but are no longer supported by their manufacturers.